Despite all the massive data breaches making headlines, most healthcare organizations are still playing catch-up on implementing strong, risk-based security programs, and are instead focusing primarily on a HIPAA compliance approach, says David Finn, health IT officer for security vendor Symantec. His conclusions are based on the results of a new study Symantec conducted with HIMSS Analytics, a unit of the Healthcare Information and Management Systems Society.

Many healthcare organizations still "think of security as a compliance issue, because of the requirements under HIPAA, and as an IT problem rather than the real business problem that it is," he says in an interview with Information Security Media Group.

Finn previewed results of the new survey of about 100 healthcare sector CIOs and CISOs about security issues. He will further discuss the survey results during a March 2 presentation at the HIMSS 2016 Conference in Las Vegas.

"Some of the recent hacks ... [and] ransomware attacks have really highlighted that this is a business issue, and not an IT issue. And what we have learned painfully is that just checking boxes and meeting regulatory requirements doesn't really give you security. You actually have to do something rather than just look at policies and procedures. You have to implement things and follow up."

Based on the survey findings, "we're getting some insights that if the big organizations are not investing the money, the people and the resources, then certainly the smaller organizations are probably doing less," Finn says.

Addressing Business Risks

Many of the organizations surveyed still rely on their IT teams for security and risk management. "But these are business risks, and to make IT responsible for assessing risk across a healthcare organization really doesn't make sense. They don't have the skills, they don't have the focus, and that isn't their job. Their job is to provide information technology and IT services," he says.

Responsibility for setting data security rules "needs to be pushed up the ladder, to get the business units ... the CEO, the CFO involved in assessing what can and can't be at risk, and what are acceptable levels of risk."

In this interview (see audio link below photo), Finn also discusses:

The continuing under-investment in security programs by healthcare sector organizations;

Why health data is an increasingly valuable target for cybercriminals and fraudsters;

Why the cybersecurity of biomedical devices is "the big train wreck we're waiting to see."

Prior to joining Symantec, Finn was the CIO and vice president of information services for Texas Children's Hospital, where he also previously served as the privacy and security officer. Earlier, Finn spent seven years as a healthcare consultant with Healthlink - formerly IMG - and PriceWaterhouseCoopers. Finn has more than 30 years of experience in the planning, management and control of information technology and business processes.